
Privacy and data security


As a software provider for the AEC/O industry, the Nemetschek Group manages little customer or personal data directly, since its software products are mainly installed and operated on premises, that is, within our customers' IT environments. The concrete data protection and data security risk is therefore generally considered moderate.

Nonetheless, the Nemetschek Group is taking responsibility and committing itself group-wide to careful handling of our employees', customers' and partners' data. They can be sure that their data is secure at the Nemetschek Group and is processed in compliance with the relevant laws and regulations. Prevention of data loss, as well as ensuring the confidentiality, availability and integrity of our data, is very important to the Nemetschek Group.

The Nemetschek Group is aware that increasing digitization and networking raises data protection/privacy and data security risks. For this reason, the Group explicitly focuses on the areas of privacy/data protection and data security.


Therefore, in keeping with its organizational structure, the Nemetschek Group pursues a largely decentralized approach that provides for central monitoring processes and support (starting with the parent company), but also places responsibility on the brand companies (direct responsibility of the brands).

Privacy and data security are joint tasks of all Nemetschek Group employees, to which all areas have committed themselves as part of the group-wide Code of Conduct.
Compliance with privacy regulations and processes is regularly inspected, either by external service providers or by the Corporate Audit department as part of the general audit of business processes, in collaboration with the Corporate Legal & Compliance and Corporate IT departments.

Data protection (Privacy)

As part of implementing Regulation (EU) 2016/679 (the GDPR), data protection and compliance processes were implemented and further developed throughout the Group in fiscal year 2018.


Among other things, a group-wide policy was created that all brands must respect and implement. This included adoption of a comprehensive "Group Data Protection Guideline" and provision of a number of practical documents ("templates") that are available at all times on the Group's intranet, in both German and English.

When assuming their responsibilities, all new employees are instructed in handling sensitive/personal data and are bound to confidentiality through their employment contract. Moreover, all employees of the Nemetschek Group (not only European employees) are obligated to undergo privacy/data protection training and to document its successful completion.
An e-learning course created specifically for the topic of privacy is offered in both German and English. Strategically important areas (such as management, personnel and marketing) underwent classroom training in privacy as early as 2018.

Furthermore, website adaptations for data protection (such as the privacy policy, information obligations for applicants, cookies, banners, etc.) were made, along with the establishment of group-wide standard data processing contracts and records of processing for major data handling processes. Personal data is handled on a need-to-know basis (information is passed on only to those whose role makes it immediately necessary for the project), with corresponding internal and external access and authorization concepts. Consent is always obtained for the creation and use of employee photos/videos where the creation and use cannot be supported by legitimate interests.

As far as the law requires, company privacy officers (internal and external) have been appointed within the companies, and regular professional communication takes place with them as needed.

Processes for meeting legal reporting requirements and deadlines (such as to supervisory authorities) have been set up. All Nemetschek Group employees have the opportunity to report any violations of data protection regulations or company guidelines through the existing whistleblower system. The Nemetschek Group takes every notification on possible violation of data protection regulations very seriously and takes the initiative to clarify the reported matter as quickly as possible.

Data Security

Measures taken at group level include providing contact people at headquarters, definition of reporting paths, and ensuring regular professional communication on security-related issues between the brand companies and the parent company.

To protect against risks, a group-wide cyber-security insurance was taken out in fiscal year 2017 covering all brands in the Group.

To inform employees of current threats and to raise awareness of potential hazard sources, centrally initiated awareness campaigns, notifications and training on cyber-security are provided regularly on selected topics (e.g. on social engineering).

Product-related data security

Nemetschek Group products are developed to the latest state of the art, taking data security aspects into account. The vast majority of Nemetschek Group products are installed locally ("on premises") at customers' sites.

In the subscription model, software solutions are offered both “on premises” and in the cloud. Hosting of cloud solutions, which make up a relatively small portion of the Nemetschek Group product portfolio, is primarily offered in external data centers. To ensure an appropriate level of security, the Group collaborates only with reputable data center providers, and customer data are strictly separated by customer.

Company-related data security organization (Group IT and Group companies)

The Nemetschek Group takes a largely decentralized approach to data security. Since the Nemetschek Group consists of 16 largely independent brands, the responsibility for ensuring an appropriate level of data security protection lies with the brand companies.

Here the Nemetschek Group's brands always take technical and organizational measures to ensure that data security is at the state of the art, monitoring them continuously and developing them further when necessary. This includes, among other measures, the use of virus scanners, firewalling concepts, backup concepts, testing, and various other technical control mechanisms.